New MX Stable Release Candidate: MX12-26

Last week Meraki released MX12-26 as the new stable release candidate firmware for MX security appliances. For those running Meraki MX networks, this is kind of a big deal.

Let me take you back to December, 2016. MX was about to release the largest single firmware update in the product’s history – MX12. That single upgrade gave MX customers access to a number of significant enhancements, including:

  • A massively improved malware inspection engine – Cisco Advanced Malware Protection (goodbye Kaspersky). This gave MX customers running the Advanced Security license access to Talos' security intelligence research and to the global AMP threat cloud.
  • SD-WAN. This was without a doubt the biggest feature to drop in MX12. While other players were building SD-WAN appliances, Meraki added it as a feature. For free. This single enhancement instantly promoted Meraki's MX SD-WAN solution to the largest SD-WAN platform in the wild (and it still is).
  • DC-DC failover automation was added to the AutoVPN protocol. This made multi-homed data center WAN SD-WAN deployments resilient with zero extra configuration effort. Running overlapping data center supernets was now handled seamlessly in failure situations. A great example of better by default.
  • 802.1X port authentication for MX64, MX64W, MX65, and MX65W platforms. The all-in-one units received proper wired authentication on LAN switch ports.
  • Significant sync improvements to MX warm spare. This was especially helpful for data center concentrator installs that required added state resiliency.
  • And much, much more.

It was awesome. Customers were excited to have access to all the new capabilities, and Meraki delivered on its longstanding tradition of feature velocity.

As customers upgraded to MX12, Meraki learned a few things it could have done better and quickly got to work fixing bugs in AMP inspection, tweaking the SD-WAN UI, and generally working out the unexpected kinks.

With MX12 shipped, the whole Meraki Engineering team quickly got to work cranking on the next round of feature deliverables planned for MX13.

Tradeoffs and Tough Choices

Meraki’s development operates in an iterative way where security patches and bug fixes are always rolled into the next major code release. That means that all the MX security patches and AMP bug fixes were added to MX13, not the mainline MX12.

For customers who needed fixes and were willing to run beta firmware, MX13 was solid. MX13 was just a fork of MX12, so it was highly stable for existing features. In spite of that, some customers' organizational policies require RC code, leaving them patiently waiting (I'm being kind) for a new stable release candidate while running increasingly dated firmware.

Why did it take so long to ship an updated Stable Release Candidate?

It’s complicated.

Some of it is just adding more rigorous code quality testing as the Cisco Meraki platform matures. Cloud adoption continues to grow at double-digit rates, which means it's increasingly important that firmware labeled stable actually is.

One of the new features introduced in MX13 is the ability to add a static IP address to MX appliance WAN (uplink) interfaces remotely via the cloud dashboard. It’s been a longstanding ask and the implementation had to be done carefully. This is a “cloud managed” appliance after all. If you don’t add automated rollback mechanisms after an improper static IP is assigned, you risk losing all remote management to the device.

To further complicate things, it turns out that several of the major ISPs in the US use a widely deployed cable modem that doesn't handle MX uplink IP changes well: it doesn't respect the new assignment and drops connectivity to the MX. This isn't an MX problem, but its impact would deliver a terrible experience for enough customers that it wouldn't be good to ship as stable RC.
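The guard described above, as an added illustration that is not Meraki's code: a new uplink config is applied, the appliance probes whether it can still reach the cloud, and if the probe never confirms (a wrong static IP, or a modem that ignores the new assignment) the device reverts to its last-known-good config. The probe function and all addresses are constructed stand-ins.

```python
"""Commit-confirmed rollback for a remotely pushed uplink change.
Added illustration, not Meraki code; the probe and addresses are
constructed stand-ins for a real cloud-reachability check."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class UplinkConfig:
    ip: str
    gateway: str


@dataclass
class Appliance:
    active: UplinkConfig
    history: List[str] = field(default_factory=list)

    def apply_with_rollback(self, candidate, cloud_reachable, attempts=3):
        """Apply candidate; keep it only if the cloud stays reachable.
        Returns True if kept, False if rolled back to the prior config,
        which is captured first so management can always be recovered."""
        previous = self.active
        self.active = candidate
        self.history.append(f"applied {candidate.ip}")
        for _ in range(attempts):
            if cloud_reachable(candidate):
                self.history.append("confirmed")
                return True
        # No confirmation within the window: revert to last-known-good.
        self.active = previous
        self.history.append(f"rolled back to {previous.ip}")
        return False


def demo_probe(cfg):
    # Constructed: only addresses on the provider's subnet reach the cloud.
    return cfg.gateway == "203.0.113.1" and cfg.ip.startswith("203.0.113.")


def run_demo():
    mx = Appliance(UplinkConfig("203.0.113.10", "203.0.113.1"))
    bad = UplinkConfig("198.51.100.7", "198.51.100.1")  # wrong subnet
    good = UplinkConfig("203.0.113.20", "203.0.113.1")
    kept_bad = mx.apply_with_rollback(bad, demo_probe)
    kept_good = mx.apply_with_rollback(good, demo_probe)
    return kept_bad, kept_good, mx.active.ip, mx.history
```

A modem that silently ignores the new assignment shows up the same way as a bad address: the probe never confirms, so the change is undone instead of stranding the device.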

Which brings us to today.

Meraki just pushed an updated iteration of MX12 as the latest recommended stable firmware, not MX13. Why? Because delivering a stable release with an updated list of security fixes was too important to delay any further.

I think they made the right call. The tradeoff of waiting for ISPs to fix their kit wasn’t worth keeping MX customers stuck on 2016 firmware for another month.

So what's actually different in MX12-26? It primarily includes a long list of security patches that were previously gated to the MX13/14 releases.

[Image: Meraki MX12-26 firmware release notes]

The full list can be found in the firmware changelog in Dashboard under Organization > Firmware Upgrades. I’ve also provided the CVE patch list below for reference.

It's important to note a couple of additional points.

First, the MX250 and MX450 stable release is MX14-13. Z3 stable is MX14-16.

Also, the MX team is still working hard on shipping a stable release candidate for MX13 as quickly as possible. It will come with several new and notable features, including:

  • Layer 7-based configuration for SD-WAN
  • Static IP assignment via Dashboard (via Appliance Status page)
  • Device load monitoring
  • Uplink SLA for passthrough MXs (loss and latency reporting on the Appliance Status page)
  • Support for using a VIP on one uplink and not using a VIP on the other uplink when the MX is in a NAT HA configuration
  • Improved ingress and egress interface reporting within the NetFlow export

MX13 also has some major bug fixes that were not rolled into MX12-26, so that still might be the right path if you need a specific fix.

How To Upgrade to MX12-26

Upgrading an MX network or template is a very simple process with the new Firmware upgrades page in Dashboard. The complete step-by-step instructions can be found on the Meraki Documentation site or you can just reference the workflow below.

[Image: Meraki MX firmware upgrade workflow]

For those who were eagerly anticipating MX13 to drop as stable RC, this update might not get you excited. For customers who have been unable to access critical security patches due to RC concerns, this should get you patched and prepped for the forthcoming MX13 firmware.

Regardless, it's great to see new firmware flowing again, with more to come on the horizon. MX13 will be here shortly and MX14 (hello BGP) will follow. Onward.